ESET Analysis: At Least 15% of Home Routers Unsecured

As a part of BETA versions of ESET Internet Security, ESET introduced a new feature, Home Network Protection. This feature has enabled users to scan their home routers for vulnerabilities, malicious configurations, exploitable network services and weak passwords.

Since its release in April, ESET has tested more than 12,000 routers of users who agreed to share their data anonymously with ESET for statistical purposes.

The analysis shows that almost 7% of the routers tested demonstrated software vulnerabilities of high or medium severity. Port scanning revealed that in many cases network services were accessible from internal as well as from external networks.

“In particular, unsecured services such as Telnet shouldn’t be left open, not even to local network, which was – unfortunately – the case with more than 20% of the routers tested,” says Peter Stančík, ESET Security Evangelist.

The results also prove that 15% of the routers tested used weak passwords, with “admin” left as the username in most cases.

“During the test, we tried common default usernames and passwords and also some frequently used combinations. It’s disturbing that more than one in seven of such simple simulated attacks was successful,” comments Stančík.

Most of the software vulnerabilities – slightly over 50% - that were discovered during testing by ESET Home Network Protection were bad access rights vulnerabilities.

The second most frequent vulnerability (40%) discovered by the ESET Home Network Protection test was a command injection vulnerability. Command injection aims for the execution of arbitrary commands on the host operating system via a vulnerable application, largely with insufficient input validation.

Nearly 10% of all the software vulnerabilities found were so called cross-site scripting (XSS) vulnerabilities that enable attackers to modify router configuration in order to be able to run a forged client-side script.

“The results collected by ESET Home Network Protection during BETA testing of ESET security solutions clearly show that routers can be attacked fairly easily, by exploiting one of the frequently found vulnerabilities. This makes them an Achilles heel for the overall internet security of households as well as small businesses,” adds Stančík.

On top of scanning routers and testing them for common vulnerabilities, ESET Home Network Protection also provides an easy-to-access overview of devices connected to a local network, categorizing them by type and time of connection. This helps ESET users to see how safe their networks really are.